PT-2025-18318 · Xwiki · Xwiki

Hightmortagne · Published 2024-10-24 · Updated 2025-09-03 · CVE-2025-46557

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki versions 15.3-rc-1 through 15.10.14
XWiki versions 16.0.0-rc-1 through 16.4.6
XWiki versions 16.5.0-rc-1 through 16.10.0-rc-1
Description

The issue allows a user with access to pages in the XWiki space to open the XWiki.Authentication.Administration page and switch the wiki to another installed authenticator, unless an authenticator is explicitly set in xwiki.cfg. By default, only the Standard XWiki Authenticator is available, so if no authenticator extension has been installed, the impact is limited. Where an SSO authenticator is installed and in use, the worst an attacker can do is break authentication by switching back to the standard authenticator, since it is impossible to log in as a user who has no stored password.
Recommendations

For XWiki versions 15.3-rc-1 through 15.10.14, update to version 15.10.14 or later.
For XWiki versions 16.0.0-rc-1 through 16.4.6, update to version 16.4.6 or later.
For XWiki versions 16.5.0-rc-1 through 16.10.0-rc-1, update to version 16.10.0-rc-1 or later.

As a temporary workaround, consider configuring an authenticator in xwiki.cfg, which prevents switching to another authenticator from the administration page.

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2025-05355
CVE-2025-46557
GHSA-F9C6-2F9P-82JJ

Affected Products

Xwiki